apiVersion: v1
kind: Pod
metadata:
  annotations:
    scheduler.alpha.kubernetes.io/critical-pod: ""
  labels:
    component: kube-controller-manager
    tier: control-plane
  name: kube-controller-manager
  namespace: kube-system
spec:
  hostNetwork: true
  priorityClassName: system-node-critical
  securityContext:
    seccompProfile:
      type: RuntimeDefault
  containers:
  - name: kube-controller-manager
    image: {{ k8s_cluster_component_registry }}/kube-controller-manager:{{ k8s_version }}
    command:
      - kube-controller-manager
      - --authentication-kubeconfig={{ kubernetes_etc_dirs }}controller-manager.conf
      - --authorization-kubeconfig={{ kubernetes_etc_dirs }}controller-manager.conf
      - --bind-address=0.0.0.0
      - --cluster-name=kubernetes
      - --client-ca-file={{ kubernetes_pki_dirs }}ca.pem
      - --cluster-signing-cert-file={{ kubernetes_pki_dirs }}ca.pem
      - --cluster-signing-key-file={{ kubernetes_pki_dirs }}ca-key.pem
      - --controllers=*,bootstrapsigner,tokencleaner
      - --kubeconfig={{ kubernetes_etc_dirs }}controller-manager.conf
      - --leader-elect=true
      - --port=0
      - --requestheader-client-ca-file={{ kubernetes_pki_dirs }}front-proxy-ca.pem
      - --root-ca-file={{ kubernetes_pki_dirs }}ca.pem
      - --service-account-private-key-file={{ kubernetes_pki_dirs }}sa.key
      - --use-service-account-credentials=true
    startupProbe:
      failureThreshold: 24
      httpGet:
        host: 127.0.0.1
        path: /healthz
        port: 10257
        scheme: HTTPS
      initialDelaySeconds: 10
      periodSeconds: 10
      timeoutSeconds: 15
    resources:
      requests:
        cpu: 200m
    env:
    - name: TZ
      value: "{{ time_location }}"
    volumeMounts:
    - mountPath: {{ kubernetes_etc_dirs }}pki
      name: k8s-certs
      readOnly: true
    - mountPath: /etc/ssl/certs
      name: ca-certs
      readOnly: true
    - mountPath: {{ kubernetes_etc_dirs }}controller-manager.conf
      name: kubeconfig
      readOnly: true
    - mountPath: /usr/libexec/kubernetes/kubelet-plugins/volume/exec
      name: flexvolume-dir
    - mountPath: /usr/share/zoneinfo
      name: usr-local-timezone
      readOnly: true
  volumes:
  - hostPath:
      path: /usr/share/zoneinfo
      type: DirectoryOrCreate
    name: usr-local-timezone
  - hostPath:
      path: {{ kubernetes_etc_dirs }}pki
      type: DirectoryOrCreate
    name: k8s-certs
  - hostPath:
      path: /etc/ssl/certs
      type: DirectoryOrCreate
    name: ca-certs
  - hostPath:
      path: {{ kubernetes_etc_dirs }}controller-manager.conf
      type: FileOrCreate
    name: kubeconfig
  - hostPath:
      path: /usr/libexec/kubernetes/kubelet-plugins/volume/exec
      type: DirectoryOrCreate
    name: flexvolume-dir
